Vulnerable WordPress Plugins Report for the Week of November 10, 2017

Vulnerable Plugins

The most interesting disclosure this week, in my opinion, is the one for the Animated Weather Widget plugin reported by Wordfence. The plugin itself did not contain a vulnerability; instead, it generated an iframe that pulled content from weatherfor.us, and that content included crypto mining code. This isn’t the first time we’ve heard of crypto mining software being snuck onto a WordPress site, nor the first time it’s shown up on other types of sites, but it is the first time I’ve heard of it being snuck in this way: through a third-party site the plugin embedded rather than through the plugin’s own code. It should be a wake-up call to any plugin and theme developers who include code or content from other sites, be it JavaScript or HTML, that you have to diligently inspect what that site serves before exposing it to your users, and keep inspecting it, since it can change after you ship.

Other Security News

I’m not a sysadmin, so I don’t pay as close attention to disclosures in the rest of the stack as I do to disclosures in the application layer. However, I noticed recently that a buffer overflow vulnerability was disclosed for many versions of PHP and patched at the end of October. If your institution is like mine, it only patches servers once a month. In this case, the patch was released after the patch window for October and well before the window for November. I would encourage you to check which PHP version your institution has installed and, if it is a vulnerable one, work with your system administrator(s) to do an emergency patch rather than wait for the next window.